GoogleOSV:GHSA-G43X-PCC9-F472Jenkins Compuware Common Configuration Plugin vulnerable to Improper Restriction of XML External Entity Reference
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
58.3%
Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
References
github.com/jenkinsci/compuware-common-configuration-plugin
github.com/jenkinsci/compuware-common-configuration-plugin/commit/351a46798cdc10479cb6966f05a51bc2174806a0
github.com/jenkinsci/compuware-common-configuration-plugin/commit/8410fd5e0a619200f5bc2e906ecba940e8506436
github.com/jenkinsci/compuware-common-configuration-plugin/commit/a92f1fba5ab375cfcceed92a16666a4c709e0f3b
github.com/jenkinsci/compuware-common-configuration-plugin/pull/24
nvd.nist.gov/vuln/detail/CVE-2022-41226
www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2832
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
58.3%